My next class:

Venmo Phishing Abusing LinkedIn "slink"

Published: 2023-02-13. Last Updated: 2023-02-13 17:53:56 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Recently, I have seen more and more phishing for Venmo credentials. Venmo does use SMS messages as a "second factor" to confirm logins from new devices but does not appear to offer additional robust authentication options. The 4-digit SMS PIN and the lack of additional account security may make Venmo users an attractive target.

Thanks to Charles for the latest example. The email isn't all that remarkable. It uses the threat of an unauthorized transaction to create urgency and trigger a click. The initial link leads to a valid LinkedIn URL:

https[:]//www[.]linkedin[.]com/slink?code=edEeg35T*mwmw918508

This "trick" to use "slink"s has been documented at least as far back as 2016. LinkedIn last year in reply to an article by Brian Krebs, stated that they police these links for links to known malicious sites. However, the site this link redirects to has been marked malicious by Safe Browsing for at least half a day. You need to be a LinkedIn business customer to use a "slink" with LinkedIn. It is unclear if the attacker used a compromised LinkedIn account or if they set up an account of their own. I did not see a simple way to look up the "owner" of an slink.

The next step leads to a compromised and likely abandoned WordPress site:

https://transpfunerario.com/wp-css.php?eaea

The victim is immediately redirected again to the actual phishing site:
 

https[:]//scrtld[.]5e2e9c52158bba90e8ceecf7c-13618[.]sites[.]k-hosting[.]co[.]uk/account/sign-in?key=0762e7ca08a5a93a659bffb6558407d7

k-hosting.co.uk is operated by the low-cost hosting company Krystal. 

The phishing, in this case, attempts to capture not just the username and password of the user but also credit card and bank information.

Due to the use of LinkedIn, the Venmo phishing email and link was not flagged as malicious. A user would only be blocked from the imposter's website due to safe browsing blocking the redirect site. LinkedIn and Krystal were notified of the malicious use of their services.

[1] https://krebsonsecurity.com/2022/02/how-phishers-are-slinking-their-links-into-linkedin/
[2] https://www.avanan.com/blog/shortened-linkedin-url-used-for-phishing

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|

Keywords: linkedin slink venmo
0 comment(s)
My next class:

Comments


Diary Archives